
Re: Q: Hiding M$ Exchange behind a firewall ?



On Fri, 22 Dec 2000 22:55:49 +0100, Michael Steiner writes:
>Robert Waldner wrote:
>> 
>> On Fri, 22 Dec 2000 16:24:16 +0100, Michael Steiner writes:
>> <snip>
>> 
>> Well, the quickfix would be a virtusertable containing something like
>>  user@official.domain       user@internal.name.of.exchange
>> for each&every user.
>> 
>snip
>
>This is what I'm doing here at my home configuration, but for the office
>it was my horror-vision. I thought I could do it in the simple way like:
>
>*@official.domain   $1 or *@internal.name.of.exchange
>                    ^^    ^
>                    - whatever the correct syntax would be
>
>When I tried to change our network-config in office I learned that this does
>not work. Sendmail rejected all incoming mails. Exchange didn't send out
>mails because it didn't find the official.domain.

http://www.sendmail.org/virtual-hosting.html

the virtusertable should look like:

@yourdomain.com         %1@othercompany.com

now the exchange needs to feel responsible for othercompany.com. I
strongly suggest also using the sendmail for outgoing mail, so define
it as smarthost (dunno how this feature's called with exchange) and
get sendmail to hide it from the world, e.g. via
MASQUERADE_AS(official.domain)
(and, maybe,
FEATURE(`masquerade_envelope')
). now it only has to relay for the exchange; relay-domains is a plain
list of host/domain names, one per line:
/etc/mail/relay-domains:
internal.name.of.exchange

and voilà, it should be done. my sendmail knowledge ends here, if I
got something wrong, some guru please correct me ;-)

I also recall seeing a thread about exactly this situation sometime
this year in <news:at.linux> so you might want to search deja.com for
it (at.linux, i.e. only German spoken there ;-) ).

>One additional question I have to you, because I'm running a local
>name-server. (bind) with 2 master-zones set. One for the DMZ and one for
>the internal zone.
>In my understanding it should not be necessary, but to be sure - Do I
>have to set additional entries in my master-zone files like MX records ?

if you're primary NS for official.domain: yes. first MX (e.g. lower
precedence) should point to the sendmail (to the DNS-name with the
official IP-address), second one to your ISPs mail-backup.

internal it shouldn't be necessary, just make sure that your internal
names&addresses aren't accessible for the outside world, e.g. use an
access-list like

// only private (RFC 1918) ranges and localhost may query internal zones;
// the trailing negated 0/0 explicitly denies everyone else
acl noexternal {
        192.168.0.0/16;
        127.0.0.0/8;
        10.0.0.0/8;
        !0/0;
};

zone "intern.waldner.priv.at" {
        type master;
        file "master/intern.waldner.priv.at";
        allow-query { noexternal; };   // internal zone stays invisible outside
};

>So 2nd chance to change the system in office with the long version of
>vitualusertable will be 2nd January. (after holidays)

good luck ;-) !

cheers,
&rw
-- 
/  Ing. Robert Waldner  | Network Engineer | T: +43 1 89933  F: x533 \ 
\ <Waldner@KPNQwest.at> |    KPNQwest/AT   | Diefenbachg. 35, A-1150 / 
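The pieces of the reply above put together as an added example (not part of the original post or of sendmail itself): a toy model of the virtusertable catch-all, the masquerading, and the relay restriction, using the host and domain names from the thread as constructed configuration. It imitates the rules described, not sendmail's real rule sets.

```python
"""Toy model of sendmail in front of a hidden Exchange host, as
described in the thread. Constructed example, not sendmail's code."""

# Constructed configuration; names are the ones used in the thread.
VIRTUSERTABLE = {"@official.domain": "%1@internal.name.of.exchange"}
LOCAL_DOMAINS = {"official.domain"}          # domains sendmail accepts for
RELAY_HOSTS = {"internal.name.of.exchange"}  # contents of relay-domains
MASQUERADE_AS = "official.domain"


def virtuser_rewrite(rcpt, table=VIRTUSERTABLE):
    """Exact user@domain entries win; an @domain catch-all substitutes %1
    with the local part, so user@official.domain -> user@exchange-host."""
    local, _, domain = rcpt.rpartition("@")
    if rcpt in table:
        return table[rcpt]
    target = table.get("@" + domain)
    return target.replace("%1", local) if target else rcpt


def masquerade(sender, hide=RELAY_HOSTS, as_domain=MASQUERADE_AS):
    """MASQUERADE_AS: mail from the hidden Exchange host leaves with the
    official domain, so the internal name never shows up outside."""
    local, _, domain = sender.rpartition("@")
    return f"{local}@{as_domain}" if domain in hide else sender


def route(client_host, sender, rcpt):
    """Decide what the relay does with one message.
    Returns (action, sender as seen outside, recipient delivered to)."""
    rcpt_domain = rcpt.rpartition("@")[2]
    if rcpt_domain in LOCAL_DOMAINS:
        # Inbound for our domain: accept from anyone, hand to Exchange.
        return ("accept", sender, virtuser_rewrite(rcpt))
    if client_host in RELAY_HOSTS:
        # Outbound from Exchange (smarthost): relay with the name hidden.
        return ("relay", masquerade(sender), rcpt)
    # Anyone else handing us third-party mail would make us an open relay.
    return ("reject", sender, rcpt)


if __name__ == "__main__":
    print(route("mail.elsewhere.example", "x@elsewhere.example", "bob@official.domain"))
    print(route("internal.name.of.exchange", "bob@internal.name.of.exchange", "x@elsewhere.example"))
    print(route("mail.elsewhere.example", "x@elsewhere.example", "y@third.example"))
```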